Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2022 20:48
Behavioral task: behavioral1
- Sample: 576-56-0x0000000004AC0000-0x0000000004ACC000-memory.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 576-56-0x0000000004AC0000-0x0000000004ACC000-memory.exe
- Resource: win10v2004-20220721-en
General
- Target: 576-56-0x0000000004AC0000-0x0000000004ACC000-memory.exe
- Size: 48KB
- MD5: 99783c5bd31b3d6b5209a10678c0c2b5
- SHA1: 81050a9fed3607bd78fd1edc221277ec1f40ffe8
- SHA256: a2e94e993ecb8a3859a66f31e03eea471f089925d460b7d20493faa04bcae1cc
- SHA512: e389f6322542e610f59514a2d040384e17c0a091d8aeb4ff597ba96e4d30bbbf710c54dd32f8683dc3c8f5a71c2a4007c9f6fcd6dac15719b1ab47680e1f0a2b
Malware Config
Extracted
- njrat
- 0.7d
- HacKed
- easralahtane.ddns.net:3973
- 4c1e56ee7374309d8fa12b913734d668
- reg_key: 4c1e56ee7374309d8fa12b913734d668
- splitter: |'|'|
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 1060, Microsoft .exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
  - 1800, 576-56-0x0000000004AC0000-0x0000000004ACC000-memory.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str), \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4c1e56ee7374309d8fa12b913734d668 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .exe\" ..", Microsoft .exe
  - Set value (str), \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c1e56ee7374309d8fa12b913734d668 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .exe\" ..", Microsoft .exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1060, Microsoft .exe
  - Token: 33, 1060, Microsoft .exe (9 occurrences)
  - Token: SeIncBasePriorityPrivilege, 1060, Microsoft .exe (9 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 1800 wrote to memory of 1060, 1800, 576-56-0x0000000004AC0000-0x0000000004ACC000-memory.exe, Microsoft .exe (4 occurrences)
  - PID 1060 wrote to memory of 2012, 1060, Microsoft .exe, netsh.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\576-56-0x0000000004AC0000-0x0000000004ACC000-memory.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\576-56-0x0000000004AC0000-0x0000000004ACC000-memory.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1800
  - C:\Users\Admin\AppData\Local\Temp\Microsoft .exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft .exe"
    Depth: 2
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1060
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft .exe" "Microsoft .exe" ENABLE
      Depth: 3
      - Modifies Windows Firewall
      PID: 2012
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Microsoft .exe
  Filesize: 48KB
  MD5: 99783c5bd31b3d6b5209a10678c0c2b5
  SHA1: 81050a9fed3607bd78fd1edc221277ec1f40ffe8
  SHA256: a2e94e993ecb8a3859a66f31e03eea471f089925d460b7d20493faa04bcae1cc
  SHA512: e389f6322542e610f59514a2d040384e17c0a091d8aeb4ff597ba96e4d30bbbf710c54dd32f8683dc3c8f5a71c2a4007c9f6fcd6dac15719b1ab47680e1f0a2b
- C:\Users\Admin\AppData\Local\Temp\Microsoft .exe
  Filesize: 48KB
  MD5: 99783c5bd31b3d6b5209a10678c0c2b5
  SHA1: 81050a9fed3607bd78fd1edc221277ec1f40ffe8
  SHA256: a2e94e993ecb8a3859a66f31e03eea471f089925d460b7d20493faa04bcae1cc
  SHA512: e389f6322542e610f59514a2d040384e17c0a091d8aeb4ff597ba96e4d30bbbf710c54dd32f8683dc3c8f5a71c2a4007c9f6fcd6dac15719b1ab47680e1f0a2b
- \Users\Admin\AppData\Local\Temp\Microsoft .exe
  Filesize: 48KB
  MD5: 99783c5bd31b3d6b5209a10678c0c2b5
  SHA1: 81050a9fed3607bd78fd1edc221277ec1f40ffe8
  SHA256: a2e94e993ecb8a3859a66f31e03eea471f089925d460b7d20493faa04bcae1cc
  SHA512: e389f6322542e610f59514a2d040384e17c0a091d8aeb4ff597ba96e4d30bbbf710c54dd32f8683dc3c8f5a71c2a4007c9f6fcd6dac15719b1ab47680e1f0a2b
- memory/1060-57-0x0000000000000000-mapping.dmp
- memory/1060-62-0x0000000074750000-0x0000000074CFB000-memory.dmp
  Filesize: 5.7MB
- memory/1060-65-0x0000000074750000-0x0000000074CFB000-memory.dmp
  Filesize: 5.7MB
- memory/1800-54-0x0000000076291000-0x0000000076293000-memory.dmp
  Filesize: 8KB
- memory/1800-55-0x0000000074750000-0x0000000074CFB000-memory.dmp
  Filesize: 5.7MB
- memory/1800-61-0x0000000074750000-0x0000000074CFB000-memory.dmp
  Filesize: 5.7MB
- memory/2012-63-0x0000000000000000-mapping.dmp